General Interface Setup

However, if the camera needs to be accessible from the local network (Intranet) and from the Internet, two web server ports can be defined for security reasons, so that local network and Internet access can be clearly separated.

Example:

Within the local network, the camera is accessible via port 80 and can be integrated in a MultiView display, for example. Access from the Internet uses a router connection with a mapped port to the camera. As port 80 is used already on the local network, the router channels access from the Internet to a different camera port (e.g. 8080).

In this case, you would have to enter the values 80 and 8080 for the ports.

Modify these settings only if you are fully aware of the consequences. One single invalid setting may render the camera unreachable.

Notes:

Any modifications of this setting require you to Reboot the camera to become effective.

If no ports have been specified, you can reach the camera using the default port 80.

Enable HTTP

Select this setting if you would like to enable unencrypted connections to the camera's web server. In this case, the web server opens the port(s) specified in Port or ports for web server for HTTP requests.

Note:

Make sure that at least one of the Enable HTTP and Enable HTTPS options is activated, since the web server of the camera will not accept any connections otherwise.

Enable HTTPS

Select this setting if you would like to enable encrypted connections to the camera's web server. In this case, the web server opens the port specified in SSL/TLS port for HTTPS server for HTTPS requests.

Note:

Make sure that at least one of the Enable HTTP and Enable HTTPS options is activated, since the web server of the camera will not accept any connections otherwise.

SSL/TLS port for HTTPS server

Specify the TCP port for SSL connections in this field. You can set only one port for HTTPS. If this field is empty and Enable HTTPS is activated, the web server will use port 443 (default) for HTTPS requests.

Download X.509 certificate

This button is only active if the camera contains an individual X.509 certificate. Use this button to download the X.509 certificate and the corresponding private key in PEM format currently used by the camera's web server to your computer.

Replace the X.509 certificate and private key currently used by the camera

Parameter

Description

Delete the X.509 certificate

Deletes the X.509 certificate and corresponding private key currently used by the camera. After rebooting the camera, it will use its factory-supplied self-signed X.509 certificate again (factory default).

Upload the X.509 certificate and private key

Replaces the X.509 certificate and corresponding private key currently used by the camera. This X.509 certificate and the corresponding private key have to be created and signed by an external certification authority.

In order to upload an X.509 certificate, enter the file name of the certificate file (in PEM format) on your computer. If you would like to upload an X.509 certificate and the corresponding private key stored in one file, you can enter the name of that file in this field.

Upload X.509 private key from file

In order to upload the corresponding private key for an X.509 certificate, enter the file name of the key file (in PEM format) on your computer. If you would like to upload an X.509 certificate and the corresponding private key stored in one file, you can enter the name of that file in this field.

Passphrase

Enter the passphrase if the private key has been encrypted with a passphrase.

Generate self-signed X.509 certificate and X.509 certificate request

The fields of the form correspond to the fields of an X.509 certificate.

Parameter

Description

Common name

Abbreviation: CN. This is the only required information in this section of the dialog. Enter the complete DNS name (Fully Qualified Domain Name) of this camera. It is also possible to enter an IP address, but this is not recommended. Make sure that this field really matches the DNS name, which you use in a web browser to access the camera since the certificate would be invalid otherwise.

Organizational unit

Abbreviation: OU. Department/work group of the certificate owner (optional).

E-mail address

E-mail address of the certificate owner (included in CN, optional).

Note:

If the certificate request generated by this function is to be signed by an external certification authority, follow that authority's guidelines on which fields are optional and which are required, rather than the recommendations of this form. The self-signed X.509 certificate has a validity period of 10 years. The key pair is 2048 bits long.

Procedures for Using and Creating X.509 Certificates

HTTPS with SSL/TLS is not Being Used

The X.509 certificates used in this dialog do not affect other areas of the camera and will be ignored if HTTPS with SSL/TLS has not been activated.

HTTPS with the Factory Default X.509 Certificate

As soon as HTTPS has been activated and the camera has been rebooted, you can use HTTPS. The camera will then use its factory-supplied, self-signed X.509 certificate that is identical for all MOBOTIX cameras. This certificate will not offer much security as it cannot guarantee the authenticity of the camera. This would allow a potential attacker to manipulate the data stream even though the camera uses a high-performance encryption scheme ("Man-in-the-middle" attack).

Make sure that you save the changes permanently before rebooting the camera (click Set, click on Close and approve the prompt).

When first accessing the camera after the reboot, your web browser will tell you that it cannot verify the certificate and will ask you whether you would like to accept the certificate anyway. The next step is relevant for security: only accept the certificate if you are absolutely sure that you are actually connected to the certified camera (e.g. by directly connecting the camera to the computer using a crossover cable). Note that you will have to accept the certificate for each camera you access. This certificate is sufficient for securing the data transmission, but it is not the optimum yet. The authenticity of the camera can only be verified if the certificate of the camera is known beforehand.

HTTPS with an Individual, Externally Certified X.509 Certificate

Option 1: You can upload an X.509 certificate and the private key to the camera. To do so, use the function Upload the X.509 certificate and private key in the section Replace the X.509 certificate and private key currently used by the camera. You can purchase an X.509 certificate and private key from an external authority or you can run your own certification authority, e.g. by using OpenSSL. In this case, it is not required to generate a certificate request beforehand. A certificate request already present in the camera will be deleted upon executing this function. Every camera requires an individual certificate from the certification authority.

Option 2: Create a certificate request on the camera. The certificate request will be created together with the self-signed X.509 certificate (see HTTPS with an Individual, Self-Certified X.509 Certificate). As soon as the camera has created the certificate request, you can download this file in the Web Server section by clicking on the Download button behind Download X.509 certificate request. Send this certificate request file to the certification authority for signing. Until you receive the X.509 certificate from the certification authority, the camera will use its self-signed X.509 certificate.

Upload the X.509 certificate signed by the certification authority using Upload X.509 certificate from file in the section Replace the X.509 certificate and private key currently used by the camera to the camera you would like to certify. This option has the advantage that the private key does not leave the camera, again enhancing its trustworthiness. Every camera requires an individual certificate from the certification authority. The certificate request, the certificate and the private key belong together. It is not possible to upload a certificate into a camera that matches the certificate request created by a different camera.

Such a certificate guarantees the optimum security for data transmission, since the camera's authenticity can be verified against the root certificate of the certification authority. "Man-in-the-middle" attacks are not possible any more. Moreover, it is not necessary to download the certificate of every camera as is the case with the self-signed X.509 certificate. All you need to do is to import the root certificate of the certification authority into the browser, once. The root certificates of commercial certification authorities are usually already present in the modern browsers.
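The following is an added example, not MOBOTIX code: a minimal private certification authority run with OpenSSL for Option 2 above. In practice the CSR is the file obtained via Download X.509 certificate request; because no camera is present here, make_stand_in_csr produces a constructed request for the constructed hostname cam.example.net, and the "Example Camera CA" name is likewise made up.

```bash
#!/usr/bin/env bash
# Added example (not MOBOTIX code): sign a camera's certificate request with your
# own CA, then check the result before uploading it to the camera.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI not found" >&2; exit 0; }
WORK=$(mktemp -d)

make_ca() {            # CA key and self-signed root certificate (the one to import into browsers)
  openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Example Camera CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

make_stand_in_csr() {  # $1 = camera DNS name; constructed stand-in for the camera's own request
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

sign_csr() {           # $1 = camera DNS name; the camera's private key is never needed here
  # current browsers check subjectAltName, not only the CN entered in the camera form
  printf 'subjectAltName=DNS:%s\n' "$1" > "$WORK/$1.ext"
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# Two checks before using "Upload X.509 certificate from file":
# chain: the certificate validates against the root certificate the browsers will trust
verify_chain() { openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1.crt" >/dev/null 2>&1; }
# key match: certificate $1 carries the public key of request $2, i.e. it belongs to that
# camera's request and not to a request created by a different camera
matches_request() {
  [ "$(openssl x509 -in "$WORK/$1.crt" -pubkey -noout)" = \
    "$(openssl req -in "$WORK/$2.csr" -pubkey -noout)" ]
}

make_ca
make_stand_in_csr cam.example.net
sign_csr cam.example.net
verify_chain cam.example.net && matches_request cam.example.net cam.example.net &&
  echo "cam.example.net.crt chains to ca.crt and matches cam.example.net.csr"
```

With a real camera, replace the stand-in CSR by the downloaded request file and upload only the resulting .crt; ca.key stays on the CA host.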

Intrusion Detection Settings

The parameters in the Intrusion Detection section provide an additional protection layer against unwanted intruders. If an intruder tries to access the camera using "brute force" methods to guess user names and passwords, the camera sends an alert and, if required, can automatically lock out the offending IP address after a certain number of failed attempts.

When Does the Camera Trigger an Alert?

The Notification threshold controls the number of allowed failed attempts when trying to establish a connection to the camera (minimum value is 5). The alert will be sent if this number is exceeded.

Caution:

Even when a user with valid credentials accesses the camera for the first time, this causes a failed attempt. The browser on the user's computer needs this first failed attempt to recognize that this website needs authentication credentials, prompting the browser to show its user name/password dialog. This weakness of the HTTP protocol is "by design" and hence unavoidable.

Timeout and Deadtime

Successive attempts of a user when trying to access a URL will be combined to one entry in the Web Server Logfile. This entry only contains information on when the user accessed the camera and how many access attempts of this user have been recorded during the specified time span. If a user accesses the camera again within the time span specified in Timeout after the last access, this additional access will be added to the existing entry in the Web Server Logfile (increase access counter by one, update date and time of the last access).

If the new access of a user occurs after the time span specified in Timeout, this access creates a new entry in the Web Server Logfile. This procedure will be applied to all authorized and unauthorized accesses. Intrusion Detection uses the data from the Web Server Logfile and is hence influenced by the Timeout parameter.

A Timeout value of a few minutes will make distinguishing the individual access attempts easier. On the other hand, this will also increase the possibility of false alarms, since a successful access attempt cannot be added to a preceding failed attempt. The default value is 60 minutes, which is a good compromise.

The Deadtime controls the minimum time between two successive alert notifications. Once a notification has been sent, a new notification will only be sent if the deadtime has expired and the number of failed attempts has again exceeded the notification threshold. The default value is 60 minutes. Setting this parameter to 0 will prompt the camera to send a notification on every access attempt.
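The following is an added model of the bookkeeping described above (not camera firmware): accesses of one client are merged into one logfile entry while each follows the previous one within Timeout, an entry whose failed attempts exceed the Notification threshold raises an alert, and further alerts wait for the Deadtime. It assumes that an alert does not reset the failed-attempt count, which is what makes Deadtime 0 notify on every further attempt as the text states; the input records "minute:ok|fail" are constructed.

```bash
#!/usr/bin/env bash
# Added example (not camera firmware): model of Timeout, Notification threshold
# and Deadtime over a constructed sequence of accesses by one client.
# Usage: intrusion_alerts TIMEOUT THRESHOLD DEADTIME minute:ok|fail ...
# Prints "<logfile entries> <alerts sent>".
intrusion_alerts() {
  local timeout=$1 threshold=$2 deadtime=$3
  shift 3
  local entries=0 alerts=0 fails=0 last_access=-1 last_alert=-1
  local rec minute status
  for rec in "$@"; do
    minute=${rec%%:*}
    status=${rec##*:}
    # a gap longer than Timeout since the last access starts a new logfile entry;
    # otherwise the access is added to the existing entry
    if [ "$last_access" -lt 0 ] || [ $((minute - last_access)) -gt "$timeout" ]; then
      entries=$((entries + 1))
      fails=0
    fi
    last_access=$minute
    if [ "$status" = fail ]; then
      fails=$((fails + 1))
    fi
    # alert once the threshold is exceeded, but not more often than Deadtime allows
    # (assumption: the count is not reset by an alert, so Deadtime 0 alerts on every attempt)
    if [ "$fails" -gt "$threshold" ] &&
       { [ "$last_alert" -lt 0 ] || [ $((minute - last_alert)) -ge "$deadtime" ]; }; then
      alerts=$((alerts + 1))
      last_alert=$minute
    fi
  done
  echo "$entries $alerts"
}

# six failed logins in six minutes, a seventh at minute 10, another at minute 70,
# then a successful login at minute 200 (defaults: Timeout 60, threshold 5, Deadtime 60)
intrusion_alerts 60 5 60 0:fail 1:fail 2:fail 3:fail 4:fail 5:fail 10:fail 70:fail 200:ok
```

The run above yields "2 2": one entry for the attack and a second for the later login, with the second alert waiting until the Deadtime has passed; the same input with Deadtime 0 yields a third alert at minute 10.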

Notification Options

If the camera triggers an alert, it can use the following options for sending notifications:

E-Mail Notification: Sends an e-mail according to the address and login information specified in the selected e-mail profile.

Phone Call-Out: Places a phone call according to the options specified in the selected phone profile.

IP Notify: Sends an IP Notify (network) message according to the address and login information specified in the selected IP Notify profile.

Note:

When sending an e-mail notification, the camera will always append the Web Server Logfile as an attachment, independent from the attachment specified in the e-mail profile.

The alerts triggered by Intrusion Detection are independent of the other alerting mechanisms and the event storage of the camera. If an alert triggered by Intrusion Detection should appear in the event storage for camera images, you should proceed as follows:

Create an IP Notify alert from the camera to itself (a new profile in the IP Notify Profiles dialog pointing to the camera itself, e.g. by using 127.0.0.1:8000 as the Destination Address).

Automatically Blocking an IP Address

If IP-Level Access Control has been set up, the camera can use the Block IP Address feature to automatically block the IP address from which the unsuccessful logins had been attempted. This lock will be triggered if the Notification Threshold is reached; it is temporary and will be lifted upon the next reboot of the camera.

Note:

If an IP address has been granted access in the IP-Level Access Control dialog, this IP address cannot be locked automatically. If you would like to activate the automatic locking of any IP address, you should delete all Allow access rules in the IP-Level Access Control dialog.